Cyber Exercising 101

Exercise, exercise, exercise. Then exercise more…

Kevin Sandschafer, COO & VP of Cyber Risk & Assurance, White Tuque

With cyber-attacks continuing to increase in volume, velocity, and impact, organizations need to take proactive measures to ensure their teams are prepared for the inevitable. Tabletop exercises are an excellent, low-cost activity that organizations MUST consider adding to their overall Information Security Program.

As shown by recent attacks (MGM, T-Mobile, Suncor), advanced threat actors continue to prove that they are capable of penetrating even the most advanced defense networks. Exercises give Incident Response Teams (IRTs) the opportunity to practice their IR protocols in a controlled environment, allowing teams to focus on problem areas while ensuring team members have a clear understanding of their roles and responsibilities.

Value

The value is simple: the cost of not being prepared will far exceed the investment needed to proactively prepare your organization. Operational outages, data exposure, and regulatory penalties all grow exponentially as a result of ineffective or inefficient responses.

Additionally, exercises in many cases will lead to improvement opportunities that reduce the likelihood of an attack being successful and thus provide an excellent return on investment.

Additional value adds will include:

Risk Assessment: Tabletop exercises help identify vulnerabilities and risks within the organization. By playing out scenarios, companies can pinpoint potential weaknesses in their processes, systems, and resources.

Preparedness and Risk Reduction: They help organizations prepare for unexpected events. Knowing how to respond to a crisis can minimize damage and downtime and prevent costly mistakes.

Team Building: Tabletop exercises promote teamwork and collaboration among employees. Participants must work together to solve problems and make decisions, which can strengthen relationships and improve communication within the team.

Decision-Making Practice: They provide an opportunity for leadership teams to practice decision-making under pressure. This can help leaders become more confident and effective in crisis situations.

Learning Opportunities: Tabletop exercises are a safe space to make mistakes and learn from them. Organizations can review what went wrong and use these insights to refine their procedures.

Resource Allocation: By running scenarios, companies can assess their resource allocation and make informed decisions about where to invest in additional resources or training.

Regulatory Compliance: Many industries have regulatory requirements for crisis preparedness and response. Conducting tabletop exercises can help ensure compliance with these regulations.

Communication Skills: They help improve communication both within the organization and with external stakeholders. Effective communication is crucial during a crisis and practicing it in a controlled environment can enhance those skills.

Adaptation and Innovation: Tabletop exercises can reveal the need for new strategies or technologies to address emerging threats or challenges, leading to innovation and adaptation.

Confidence and Resilience: Regular exercises can boost the confidence of employees, knowing that they have practiced and can handle various crisis scenarios. This can lead to a more resilient organization.

Documentation and Documentation Review: Tabletop exercises often involve the creation and review of plans and documentation. This ensures that response plans are up to date and reflect the current state of the organization.

Continuous Improvement: After each exercise, organizations can issue After-Action Reports (AARs) and conduct debriefs to assess their performance and identify areas for improvement. This cycle of assessment and adjustment contributes to continuous improvement in crisis management capabilities.


Types of Exercises

To holistically validate the IR program, organizations must simulate multiple scenarios when addressing cyber risk. External and internal threats are looking to take any advantage they can, including vulnerabilities in your people, processes, and technologies. Here is a starter list of scenarios that all programs should consider.

Data Breach Scenario: Simulate a scenario where sensitive customer data is breached. This exercise can help assess how well the organization can detect, contain, and mitigate data breaches while complying with data protection regulations like PIPEDA, GDPR or HIPAA.

Ransomware Attack: Focus on a ransomware attack scenario, where the organization’s systems and data are encrypted, and the attacker demands a ransom. This exercise can help test backup and recovery procedures and incident communication plans.

Phishing Attack: Simulate a phishing attack that results in compromised user accounts or sensitive information leakage. This exercise evaluates the organization’s ability to identify phishing attempts, educate employees, and respond to compromised accounts.

Advanced Persistent Threat (APT): Develop a scenario involving a persistent and highly skilled attacker attempting to infiltrate the organization over an extended period. APT exercises assess the organization’s ability to detect and respond to sophisticated attacks.

Distributed Denial of Service (DDoS) Attack: Test the organization’s response to a DDoS attack that disrupts services. This exercise evaluates network resilience, incident detection, and communication plans.

Insider Threat: Simulate an insider threat scenario where an employee with malicious intent tries to steal sensitive data or disrupt operations. This exercise assesses how well the organization can detect and respond to insider threats.

Supply Chain Attack: Explore a scenario where a trusted third-party vendor or supplier is compromised, leading to a breach within the organization. Supply chain exercises help evaluate vendor risk management and incident response coordination.

Zero-Day Vulnerability: Create a scenario involving a previously unknown vulnerability (zero-day) being exploited by attackers. This exercise focuses on patch management, vulnerability scanning, and incident response agility.

Social Engineering Attack: Test the organization’s susceptibility to social engineering attacks, such as pretexting, baiting, or tailgating. These exercises assess employee awareness and response to social engineering tactics.

Business Continuity and Disaster Recovery (BC/DR): Include a scenario where a cyber incident disrupts critical business operations. This exercise evaluates the organization’s BC/DR plans and the ability to recover from significant disruptions.

Legal and Regulatory Compliance: Focus on a scenario where a cyber incident triggers legal or regulatory obligations, such as reporting to authorities or notifying affected parties. This exercise assesses compliance with relevant laws and regulations.

Cross-Functional Tabletop Exercise: Bring together representatives from various departments (IT, legal, HR, PR, etc.) to simulate a comprehensive incident response. This type of exercise ensures coordination and communication across the organization.

Wargaming: Develop a strategic exercise where participants take on different roles, including attackers, defenders, and decision-makers, to simulate real-world cyber conflicts. This exercise helps organizations refine their incident response strategy.

Public Relations: Focus on a scenario where a cyber incident triggers a media response, such as a mass data breach, a ransomware attack, or an attack resulting in the loss of critical service offerings.

Business Email Compromise: Simulate a scenario where an attacker gains access to an employee’s corporate email account. This exercise will assess how well the organization can detect and respond to an attacker’s attempt to drive employee action using seemingly authorized instructions from a “trusted” account or source.

Post-Incident Review: After experiencing a real cyber incident, conduct a tabletop exercise to review the response actions taken during the incident and identify areas for improvement.


Program Objectives

Customizing tabletop exercises to an organization’s specific needs and industry is crucial for effective incident response preparedness. For maximum value, you should always develop exercise objectives that align with your organization’s risk profile and regulatory requirements.

Understanding potential threat actor motivation (financial gain, intellectual property theft, service disruption, etc.), methods (how they attack), and means (e.g., well-funded criminal organizations) that those actors would leverage will help you develop impactful exercise objectives and a roadmap.